Alex Karasulu wrote:
> Interesting idea. As far as having to do a search we're still going
> to have to lookup something to perform the authentication on bind.
> Even if we're looking up the user on the native OS or in the server's
> DIT we still have some kind of search in effect. Using native OS
> authentication is a different matter in itself.
>
> We could implement this kind of authentication name format by trying
> to detect the syntax and then appropriately transforming the name into
> a DN based on the domain to dn mapping in RFC 3088. See section 2.1
> of [0] for a means to convert a DN to a domain name and vice versa.
> This way principal [EMAIL PROTECTED] or apache.org\jhenne would be
> transformed to uid=jhenne,dc=apache,dc=org before proceeding with the
> bind operation.
>
> How does this sound?
That's roughly what I am thinking of. However, a simple mapping is most
likely not enough, since there may not be a 1:1 mapping from the
specified name to the DN to bind with (e.g. users spread over several
OUs may well share the same domain). I was thinking about the following
algorithm:
1. map the specified name to a base dn, like in your example. This might
be up to a specialized authentication module.
2. search this base dn for matching users
3. bind using this user's DN.
You are right, of course, that the search still needs to be carried out.
However, we're saving a network round-trip.
Joerg Henne
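The three-step scheme discussed in this thread (detect the principal syntax, map its domain part to a base DN, search that subtree for the user, then bind as the entry found), as an added Python example that is not code from the thread or from the server being discussed. The in-memory DIT, its entries and the helper names are constructed for illustration; the rule that exactly one entry must match is my assumption, so that an ambiguous or unknown name is refused instead of guessed.

```python
import re

# Constructed sample DIT: users of one domain are spread over several OUs,
# so the principal's domain alone cannot name the entry to bind with.
SAMPLE_DIT = {
    "uid=jhenne,ou=people,dc=apache,dc=org": {"uid": "jhenne"},
    "uid=akarasulu,ou=committers,dc=apache,dc=org": {"uid": "akarasulu"},
    "uid=dup,ou=people,dc=apache,dc=org": {"uid": "dup"},
    "uid=dup,ou=staff,dc=apache,dc=org": {"uid": "dup"},
    "uid=jhenne,ou=people,dc=example,dc=com": {"uid": "jhenne"},
}

def domain_to_dn(domain):
    """Map a DNS domain to its dc= form: apache.org -> dc=apache,dc=org."""
    labels = domain.lower().split(".")
    if not all(re.fullmatch(r"[a-z0-9-]+", label) for label in labels):
        raise ValueError("not a DNS domain: %r" % domain)
    return ",".join("dc=%s" % label for label in labels)

def parse_principal(name):
    """Detect user@domain or domain\\user; return (user, domain) or None."""
    m = re.fullmatch(r"([^@\\]+)@([^@\\]+)", name)
    if m:
        return m.group(1), m.group(2)
    m = re.fullmatch(r"([^@\\]+)\\([^@\\]+)", name)
    if m:
        return m.group(2), m.group(1)
    return None  # plain name without a domain: caller must fall back to a DN

def search_user(dit, base_dn, uid):
    """Step 2: subtree search below base_dn for entries whose uid matches."""
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in dit.items()
            if dn.lower().endswith(suffix) and attrs.get("uid") == uid]

def resolve_bind_dn(dit, principal):
    """Steps 1-3 without the network: return the DN to bind with, or None."""
    parsed = parse_principal(principal)
    if parsed is None:
        return None
    user, domain = parsed
    try:
        base_dn = domain_to_dn(domain)          # step 1
    except ValueError:
        return None
    hits = search_user(dit, base_dn, user)      # step 2
    if len(hits) != 1:
        return None  # unknown or ambiguous (assumption): refuse, never guess
    return hits[0]                              # step 3 binds as this DN
```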